Insurance CEOs may need to go back to basics to ensure their cyber investments are protecting against the right risks in the right way.
Insurers confidently deal with massive risks every day. But when it comes to their cyber security, they are not so confident. According to a recent survey of more than 100 insurance CEOs, less than one-in-five believes their organisation is fully prepared for a cyber-event. And 42 percent think cyber security is their most pressing risk, far outweighing their concerns about other key risk areas such as regulatory risk.
Clearly, cyber security is at the very top of the executive agenda. And our data suggests that CEOs plan to devote significant investment towards improving their cyber security stance over the next few years.
While this is certainly encouraging news – more investment is urgently needed – our experience working with large insurance organisations suggests that CEOs may need to take pause to rethink their cyber security program if they hope to achieve real results from their investments.
Insurance CEOs have good reason to worry. In comparison to other financial services sectors – banking in particular – the insurance industry has lagged in cyber investment, focus and capabilities. In part, this is due to urgency: banks were getting pummelled by cyber-attacks and needed to move quickly to protect their reputations, customers and bottom lines. The cyber war has traditionally been much quieter on the insurance front.
All signs suggest this is about to change. As other financial sectors become more secure, attackers are moving on to find weaker targets and this is bringing insurance companies into the firing line, and the stakes are very high as insurers hold enormous amounts of data on individual health and personal property for example. At the same time, regulators have started to ask insurance CEOs difficult questions about their cyber resilience position. And they have not always been happy with the answers they have been receiving. Letters have been flying between CEOs and regulators.
Insurance CEOs also increasingly see cyber security as a basic requirement for doing business. Many are now starting to develop cyber insurance policies, seizing the opportunity to better mitigate losses due to customer cyber events. But they are recognising that – to be a credible player in the cyber insurance market – they need to start by getting their own house in order. At the same time, they are realising that shifting customers to digital channels depends on maintaining customer trust and that, too, requires strong cyber security discipline.
As a result, forward-looking insurers are now working to improve their capabilities and create alignment between their internal and external cyber risk management activities.
Let us be clear: insurers have not been ignoring their cyber security responsibilities. The vast majority have made significant progress over the past few years and most now boast important capabilities, controls and processes. They are certainly not an ‘easy target’. But they are also far from secure.
Likely the greatest challenge facing insurers comes down to a lack of basic discipline: key security patches are not implemented; access management (particularly off-boarding of employees and contractors) is not controlled; information and IT asset registers are out of date; and rapidly emerging threats are not being properly tracked. This is largely about keeping up the rigour around the controls and processes that are already in place.
Many insurers are also struggling with inconsistent and fragmented cyber security capabilities across lines of business and markets; often the legacy of years of M&A activity. So while, in most cases, cyber capabilities have been decentralised, resulting in significant control challenges at the Group level, our experience indicates that cyber security must be managed at a centralised level (allowing for adaptation by business units and markets to suit unique circumstances and requirements).
Most insurers will also need to focus on honing their response and recovery capabilities. To date, most have been lucky to avoid a full-scale security crisis. But this has allowed some organisations to grow complacent and let their plans and processes become stale. Far too few organisations run regular drills or maintain updated roles and responsibilities.
If insurers are serious about improving their cyber security position, the first thing they need to do is spend some time assessing the current situation. They, and their executive committees, must improve their awareness of the risks, the existing controls and the gaps in their position. They must understand the urgency of the situation and articulate that urgency across the organisation. And they must put cyber security at the top of their personal agendas.
Before investing significant sums into cyber security, our experience suggests that insurance CEOs may want to focus on five key areas: